Java Code Examples for sun.security.krb5.internal.Krb5#ASN1_PARSE_ERROR

The following examples show how to use sun.security.krb5.internal.Krb5#ASN1_PARSE_ERROR . You can vote up the ones you like or vote down the ones you don't like, and go to the original project or source file by following the links above each example. You may check out the related API usage on the sidebar.
Example 1
Source File: KrbAsReqBuilder.java    From dragonwell8_jdk with GNU General Public License v2.0 4 votes vote down vote up
/**
 * Retrieves an array of secret keys for the client. This is used when
 * the client supplies password but need keys to act as an acceptor. For
 * an initiator, it must be called after AS-REQ is performed (state is OK).
 * For an acceptor, it can be called when this KrbAsReqBuilder object is
 * constructed (state is INIT).
 * @param isInitiator if the caller is an initiator
 * @return generated keys from password. PA-DATA from server might be used.
 * All "default_tkt_enctypes" keys will be generated, Never null.
 * @throws IllegalStateException if not constructed from a password
 * @throws KrbException
 */
public EncryptionKey[] getKeys(boolean isInitiator) throws KrbException {
    checkState(isInitiator?State.REQ_OK:State.INIT, "Cannot get keys");
    if (password != null) {
        int[] eTypes = EType.getDefaults("default_tkt_enctypes");
        EncryptionKey[] result = new EncryptionKey[eTypes.length];

        /*
         * Returns an array of keys. Before KrbAsReqBuilder, all etypes
         * use the same salt which is either the default one or a new salt
         * coming from PA-DATA. After KrbAsReqBuilder, each etype uses its
         * own new salt from PA-DATA. For an etype with no PA-DATA new salt
         * at all, what salt should it use?
         *
         * Commonly, the stored keys are only to be used by an acceptor to
         * decrypt service ticket in AP-REQ. Most impls only allow keys
         * from a keytab on acceptor, but unfortunately (?) Java supports
         * acceptor using password. In this case, if the service ticket is
         * encrypted using an etype which we don't have PA-DATA new salt,
         * using the default salt might be wrong (say, case-insensitive
         * user name). Instead, we would use the new salt of another etype.
         */

        String salt = null;     // the saved new salt
        try {
            for (int i=0; i<eTypes.length; i++) {
                // First round, only calculate those have a PA entry
                PAData.SaltAndParams snp =
                        PAData.getSaltAndParams(eTypes[i], paList);
                if (snp != null) {
                    // Never uses a salt for rc4-hmac, it does not use
                    // a salt at all
                    if (eTypes[i] != EncryptedData.ETYPE_ARCFOUR_HMAC &&
                            snp.salt != null) {
                        salt = snp.salt;
                    }
                    result[i] = EncryptionKey.acquireSecretKey(cname,
                            password,
                            eTypes[i],
                            snp);
                }
            }
            // No new salt from PA, maybe empty, maybe only rc4-hmac
            if (salt == null) salt = cname.getSalt();
            for (int i=0; i<eTypes.length; i++) {
                // Second round, calculate those with no PA entry
                if (result[i] == null) {
                    result[i] = EncryptionKey.acquireSecretKey(password,
                            salt,
                            eTypes[i],
                            null);
                }
            }
        } catch (IOException ioe) {
            KrbException ke = new KrbException(Krb5.ASN1_PARSE_ERROR);
            ke.initCause(ioe);
            throw ke;
        }
        return result;
    } else {
        throw new IllegalStateException("Required password not provided");
    }
}
 
Example 2
Source File: KrbAsReqBuilder.java    From TencentKona-8 with GNU General Public License v2.0 4 votes vote down vote up
/**
 * Retrieves an array of secret keys for the client. This is used when
 * the client supplies password but need keys to act as an acceptor. For
 * an initiator, it must be called after AS-REQ is performed (state is OK).
 * For an acceptor, it can be called when this KrbAsReqBuilder object is
 * constructed (state is INIT).
 * @param isInitiator if the caller is an initiator
 * @return generated keys from password. PA-DATA from server might be used.
 * All "default_tkt_enctypes" keys will be generated, Never null.
 * @throws IllegalStateException if not constructed from a password
 * @throws KrbException
 */
public EncryptionKey[] getKeys(boolean isInitiator) throws KrbException {
    checkState(isInitiator?State.REQ_OK:State.INIT, "Cannot get keys");
    if (password != null) {
        int[] eTypes = EType.getDefaults("default_tkt_enctypes");
        EncryptionKey[] result = new EncryptionKey[eTypes.length];

        /*
         * Returns an array of keys. Before KrbAsReqBuilder, all etypes
         * use the same salt which is either the default one or a new salt
         * coming from PA-DATA. After KrbAsReqBuilder, each etype uses its
         * own new salt from PA-DATA. For an etype with no PA-DATA new salt
         * at all, what salt should it use?
         *
         * Commonly, the stored keys are only to be used by an acceptor to
         * decrypt service ticket in AP-REQ. Most impls only allow keys
         * from a keytab on acceptor, but unfortunately (?) Java supports
         * acceptor using password. In this case, if the service ticket is
         * encrypted using an etype which we don't have PA-DATA new salt,
         * using the default salt might be wrong (say, case-insensitive
         * user name). Instead, we would use the new salt of another etype.
         */

        String salt = null;     // the saved new salt
        try {
            for (int i=0; i<eTypes.length; i++) {
                // First round, only calculate those have a PA entry
                PAData.SaltAndParams snp =
                        PAData.getSaltAndParams(eTypes[i], paList);
                if (snp != null) {
                    // Never uses a salt for rc4-hmac, it does not use
                    // a salt at all
                    if (eTypes[i] != EncryptedData.ETYPE_ARCFOUR_HMAC &&
                            snp.salt != null) {
                        salt = snp.salt;
                    }
                    result[i] = EncryptionKey.acquireSecretKey(cname,
                            password,
                            eTypes[i],
                            snp);
                }
            }
            // No new salt from PA, maybe empty, maybe only rc4-hmac
            if (salt == null) salt = cname.getSalt();
            for (int i=0; i<eTypes.length; i++) {
                // Second round, calculate those with no PA entry
                if (result[i] == null) {
                    result[i] = EncryptionKey.acquireSecretKey(password,
                            salt,
                            eTypes[i],
                            null);
                }
            }
        } catch (IOException ioe) {
            KrbException ke = new KrbException(Krb5.ASN1_PARSE_ERROR);
            ke.initCause(ioe);
            throw ke;
        }
        return result;
    } else {
        throw new IllegalStateException("Required password not provided");
    }
}
 
Example 3
Source File: KrbAsReqBuilder.java    From jdk8u60 with GNU General Public License v2.0 4 votes vote down vote up
/**
 * Retrieves an array of secret keys for the client. This is used when
 * the client supplies password but need keys to act as an acceptor. For
 * an initiator, it must be called after AS-REQ is performed (state is OK).
 * For an acceptor, it can be called when this KrbAsReqBuilder object is
 * constructed (state is INIT).
 * @param isInitiator if the caller is an initiator
 * @return generated keys from password. PA-DATA from server might be used.
 * All "default_tkt_enctypes" keys will be generated, Never null.
 * @throws IllegalStateException if not constructed from a password
 * @throws KrbException
 */
public EncryptionKey[] getKeys(boolean isInitiator) throws KrbException {
    checkState(isInitiator?State.REQ_OK:State.INIT, "Cannot get keys");
    if (password != null) {
        int[] eTypes = EType.getDefaults("default_tkt_enctypes");
        EncryptionKey[] result = new EncryptionKey[eTypes.length];

        /*
         * Returns an array of keys. Before KrbAsReqBuilder, all etypes
         * use the same salt which is either the default one or a new salt
         * coming from PA-DATA. After KrbAsReqBuilder, each etype uses its
         * own new salt from PA-DATA. For an etype with no PA-DATA new salt
         * at all, what salt should it use?
         *
         * Commonly, the stored keys are only to be used by an acceptor to
         * decrypt service ticket in AP-REQ. Most impls only allow keys
         * from a keytab on acceptor, but unfortunately (?) Java supports
         * acceptor using password. In this case, if the service ticket is
         * encrypted using an etype which we don't have PA-DATA new salt,
         * using the default salt might be wrong (say, case-insensitive
         * user name). Instead, we would use the new salt of another etype.
         */

        String salt = null;     // the saved new salt
        try {
            for (int i=0; i<eTypes.length; i++) {
                // First round, only calculate those have a PA entry
                PAData.SaltAndParams snp =
                        PAData.getSaltAndParams(eTypes[i], paList);
                if (snp != null) {
                    // Never uses a salt for rc4-hmac, it does not use
                    // a salt at all
                    if (eTypes[i] != EncryptedData.ETYPE_ARCFOUR_HMAC &&
                            snp.salt != null) {
                        salt = snp.salt;
                    }
                    result[i] = EncryptionKey.acquireSecretKey(cname,
                            password,
                            eTypes[i],
                            snp);
                }
            }
            // No new salt from PA, maybe empty, maybe only rc4-hmac
            if (salt == null) salt = cname.getSalt();
            for (int i=0; i<eTypes.length; i++) {
                // Second round, calculate those with no PA entry
                if (result[i] == null) {
                    result[i] = EncryptionKey.acquireSecretKey(password,
                            salt,
                            eTypes[i],
                            null);
                }
            }
        } catch (IOException ioe) {
            KrbException ke = new KrbException(Krb5.ASN1_PARSE_ERROR);
            ke.initCause(ioe);
            throw ke;
        }
        return result;
    } else {
        throw new IllegalStateException("Required password not provided");
    }
}
 
Example 4
Source File: KrbAsReqBuilder.java    From openjdk-jdk8u with GNU General Public License v2.0 4 votes vote down vote up
/**
 * Retrieves an array of secret keys for the client. This is used when
 * the client supplies password but need keys to act as an acceptor. For
 * an initiator, it must be called after AS-REQ is performed (state is OK).
 * For an acceptor, it can be called when this KrbAsReqBuilder object is
 * constructed (state is INIT).
 * @param isInitiator if the caller is an initiator
 * @return generated keys from password. PA-DATA from server might be used.
 * All "default_tkt_enctypes" keys will be generated, Never null.
 * @throws IllegalStateException if not constructed from a password
 * @throws KrbException
 */
public EncryptionKey[] getKeys(boolean isInitiator) throws KrbException {
    checkState(isInitiator?State.REQ_OK:State.INIT, "Cannot get keys");
    if (password != null) {
        int[] eTypes = EType.getDefaults("default_tkt_enctypes");
        EncryptionKey[] result = new EncryptionKey[eTypes.length];

        /*
         * Returns an array of keys. Before KrbAsReqBuilder, all etypes
         * use the same salt which is either the default one or a new salt
         * coming from PA-DATA. After KrbAsReqBuilder, each etype uses its
         * own new salt from PA-DATA. For an etype with no PA-DATA new salt
         * at all, what salt should it use?
         *
         * Commonly, the stored keys are only to be used by an acceptor to
         * decrypt service ticket in AP-REQ. Most impls only allow keys
         * from a keytab on acceptor, but unfortunately (?) Java supports
         * acceptor using password. In this case, if the service ticket is
         * encrypted using an etype which we don't have PA-DATA new salt,
         * using the default salt might be wrong (say, case-insensitive
         * user name). Instead, we would use the new salt of another etype.
         */

        String salt = null;     // the saved new salt
        try {
            for (int i=0; i<eTypes.length; i++) {
                // First round, only calculate those have a PA entry
                PAData.SaltAndParams snp =
                        PAData.getSaltAndParams(eTypes[i], paList);
                if (snp != null) {
                    // Never uses a salt for rc4-hmac, it does not use
                    // a salt at all
                    if (eTypes[i] != EncryptedData.ETYPE_ARCFOUR_HMAC &&
                            snp.salt != null) {
                        salt = snp.salt;
                    }
                    result[i] = EncryptionKey.acquireSecretKey(cname,
                            password,
                            eTypes[i],
                            snp);
                }
            }
            // No new salt from PA, maybe empty, maybe only rc4-hmac
            if (salt == null) salt = cname.getSalt();
            for (int i=0; i<eTypes.length; i++) {
                // Second round, calculate those with no PA entry
                if (result[i] == null) {
                    result[i] = EncryptionKey.acquireSecretKey(password,
                            salt,
                            eTypes[i],
                            null);
                }
            }
        } catch (IOException ioe) {
            KrbException ke = new KrbException(Krb5.ASN1_PARSE_ERROR);
            ke.initCause(ioe);
            throw ke;
        }
        return result;
    } else {
        throw new IllegalStateException("Required password not provided");
    }
}
 
Example 5
Source File: KrbAsReqBuilder.java    From openjdk-jdk8u-backup with GNU General Public License v2.0 4 votes vote down vote up
/**
 * Retrieves an array of secret keys for the client. This is used when
 * the client supplies password but need keys to act as an acceptor. For
 * an initiator, it must be called after AS-REQ is performed (state is OK).
 * For an acceptor, it can be called when this KrbAsReqBuilder object is
 * constructed (state is INIT).
 * @param isInitiator if the caller is an initiator
 * @return generated keys from password. PA-DATA from server might be used.
 * All "default_tkt_enctypes" keys will be generated, Never null.
 * @throws IllegalStateException if not constructed from a password
 * @throws KrbException
 */
public EncryptionKey[] getKeys(boolean isInitiator) throws KrbException {
    checkState(isInitiator?State.REQ_OK:State.INIT, "Cannot get keys");
    if (password != null) {
        int[] eTypes = EType.getDefaults("default_tkt_enctypes");
        EncryptionKey[] result = new EncryptionKey[eTypes.length];

        /*
         * Returns an array of keys. Before KrbAsReqBuilder, all etypes
         * use the same salt which is either the default one or a new salt
         * coming from PA-DATA. After KrbAsReqBuilder, each etype uses its
         * own new salt from PA-DATA. For an etype with no PA-DATA new salt
         * at all, what salt should it use?
         *
         * Commonly, the stored keys are only to be used by an acceptor to
         * decrypt service ticket in AP-REQ. Most impls only allow keys
         * from a keytab on acceptor, but unfortunately (?) Java supports
         * acceptor using password. In this case, if the service ticket is
         * encrypted using an etype which we don't have PA-DATA new salt,
         * using the default salt might be wrong (say, case-insensitive
         * user name). Instead, we would use the new salt of another etype.
         */

        String salt = null;     // the saved new salt
        try {
            for (int i=0; i<eTypes.length; i++) {
                // First round, only calculate those have a PA entry
                PAData.SaltAndParams snp =
                        PAData.getSaltAndParams(eTypes[i], paList);
                if (snp != null) {
                    // Never uses a salt for rc4-hmac, it does not use
                    // a salt at all
                    if (eTypes[i] != EncryptedData.ETYPE_ARCFOUR_HMAC &&
                            snp.salt != null) {
                        salt = snp.salt;
                    }
                    result[i] = EncryptionKey.acquireSecretKey(cname,
                            password,
                            eTypes[i],
                            snp);
                }
            }
            // No new salt from PA, maybe empty, maybe only rc4-hmac
            if (salt == null) salt = cname.getSalt();
            for (int i=0; i<eTypes.length; i++) {
                // Second round, calculate those with no PA entry
                if (result[i] == null) {
                    result[i] = EncryptionKey.acquireSecretKey(password,
                            salt,
                            eTypes[i],
                            null);
                }
            }
        } catch (IOException ioe) {
            KrbException ke = new KrbException(Krb5.ASN1_PARSE_ERROR);
            ke.initCause(ioe);
            throw ke;
        }
        return result;
    } else {
        throw new IllegalStateException("Required password not provided");
    }
}
 
Example 6
Source File: KrbAsReqBuilder.java    From openjdk-jdk9 with GNU General Public License v2.0 4 votes vote down vote up
/**
 * Retrieves an array of secret keys for the client. This is used when
 * the client supplies password but need keys to act as an acceptor. For
 * an initiator, it must be called after AS-REQ is performed (state is OK).
 * For an acceptor, it can be called when this KrbAsReqBuilder object is
 * constructed (state is INIT).
 * @param isInitiator if the caller is an initiator
 * @return generated keys from password. PA-DATA from server might be used.
 * All "default_tkt_enctypes" keys will be generated, Never null.
 * @throws IllegalStateException if not constructed from a password
 * @throws KrbException
 */
public EncryptionKey[] getKeys(boolean isInitiator) throws KrbException {
    checkState(isInitiator?State.REQ_OK:State.INIT, "Cannot get keys");
    if (password != null) {
        int[] eTypes = EType.getDefaults("default_tkt_enctypes");
        EncryptionKey[] result = new EncryptionKey[eTypes.length];

        /*
         * Returns an array of keys. Before KrbAsReqBuilder, all etypes
         * use the same salt which is either the default one or a new salt
         * coming from PA-DATA. After KrbAsReqBuilder, each etype uses its
         * own new salt from PA-DATA. For an etype with no PA-DATA new salt
         * at all, what salt should it use?
         *
         * Commonly, the stored keys are only to be used by an acceptor to
         * decrypt service ticket in AP-REQ. Most impls only allow keys
         * from a keytab on acceptor, but unfortunately (?) Java supports
         * acceptor using password. In this case, if the service ticket is
         * encrypted using an etype which we don't have PA-DATA new salt,
         * using the default salt might be wrong (say, case-insensitive
         * user name). Instead, we would use the new salt of another etype.
         */

        String salt = null;     // the saved new salt
        try {
            for (int i=0; i<eTypes.length; i++) {
                // First round, only calculate those have a PA entry
                PAData.SaltAndParams snp =
                        PAData.getSaltAndParams(eTypes[i], paList);
                if (snp != null) {
                    // Never uses a salt for rc4-hmac, it does not use
                    // a salt at all
                    if (eTypes[i] != EncryptedData.ETYPE_ARCFOUR_HMAC &&
                            snp.salt != null) {
                        salt = snp.salt;
                    }
                    result[i] = EncryptionKey.acquireSecretKey(cname,
                            password,
                            eTypes[i],
                            snp);
                }
            }
            // No new salt from PA, maybe empty, maybe only rc4-hmac
            if (salt == null) salt = cname.getSalt();
            for (int i=0; i<eTypes.length; i++) {
                // Second round, calculate those with no PA entry
                if (result[i] == null) {
                    result[i] = EncryptionKey.acquireSecretKey(password,
                            salt,
                            eTypes[i],
                            null);
                }
            }
        } catch (IOException ioe) {
            KrbException ke = new KrbException(Krb5.ASN1_PARSE_ERROR);
            ke.initCause(ioe);
            throw ke;
        }
        return result;
    } else {
        throw new IllegalStateException("Required password not provided");
    }
}
 
Example 7
Source File: KrbAsReqBuilder.java    From jdk8u-jdk with GNU General Public License v2.0 4 votes vote down vote up
/**
 * Retrieves an array of secret keys for the client. This is used when
 * the client supplies password but need keys to act as an acceptor. For
 * an initiator, it must be called after AS-REQ is performed (state is OK).
 * For an acceptor, it can be called when this KrbAsReqBuilder object is
 * constructed (state is INIT).
 * @param isInitiator if the caller is an initiator
 * @return generated keys from password. PA-DATA from server might be used.
 * All "default_tkt_enctypes" keys will be generated, Never null.
 * @throws IllegalStateException if not constructed from a password
 * @throws KrbException
 */
public EncryptionKey[] getKeys(boolean isInitiator) throws KrbException {
    checkState(isInitiator?State.REQ_OK:State.INIT, "Cannot get keys");
    if (password != null) {
        int[] eTypes = EType.getDefaults("default_tkt_enctypes");
        EncryptionKey[] result = new EncryptionKey[eTypes.length];

        /*
         * Returns an array of keys. Before KrbAsReqBuilder, all etypes
         * use the same salt which is either the default one or a new salt
         * coming from PA-DATA. After KrbAsReqBuilder, each etype uses its
         * own new salt from PA-DATA. For an etype with no PA-DATA new salt
         * at all, what salt should it use?
         *
         * Commonly, the stored keys are only to be used by an acceptor to
         * decrypt service ticket in AP-REQ. Most impls only allow keys
         * from a keytab on acceptor, but unfortunately (?) Java supports
         * acceptor using password. In this case, if the service ticket is
         * encrypted using an etype which we don't have PA-DATA new salt,
         * using the default salt might be wrong (say, case-insensitive
         * user name). Instead, we would use the new salt of another etype.
         */

        String salt = null;     // the saved new salt
        try {
            for (int i=0; i<eTypes.length; i++) {
                // First round, only calculate those have a PA entry
                PAData.SaltAndParams snp =
                        PAData.getSaltAndParams(eTypes[i], paList);
                if (snp != null) {
                    // Never uses a salt for rc4-hmac, it does not use
                    // a salt at all
                    if (eTypes[i] != EncryptedData.ETYPE_ARCFOUR_HMAC &&
                            snp.salt != null) {
                        salt = snp.salt;
                    }
                    result[i] = EncryptionKey.acquireSecretKey(cname,
                            password,
                            eTypes[i],
                            snp);
                }
            }
            // No new salt from PA, maybe empty, maybe only rc4-hmac
            if (salt == null) salt = cname.getSalt();
            for (int i=0; i<eTypes.length; i++) {
                // Second round, calculate those with no PA entry
                if (result[i] == null) {
                    result[i] = EncryptionKey.acquireSecretKey(password,
                            salt,
                            eTypes[i],
                            null);
                }
            }
        } catch (IOException ioe) {
            KrbException ke = new KrbException(Krb5.ASN1_PARSE_ERROR);
            ke.initCause(ioe);
            throw ke;
        }
        return result;
    } else {
        throw new IllegalStateException("Required password not provided");
    }
}
 
Example 8
Source File: KrbAsReqBuilder.java    From hottub with GNU General Public License v2.0 4 votes vote down vote up
/**
 * Retrieves an array of secret keys for the client. This is used when
 * the client supplies password but need keys to act as an acceptor. For
 * an initiator, it must be called after AS-REQ is performed (state is OK).
 * For an acceptor, it can be called when this KrbAsReqBuilder object is
 * constructed (state is INIT).
 * @param isInitiator if the caller is an initiator
 * @return generated keys from password. PA-DATA from server might be used.
 * All "default_tkt_enctypes" keys will be generated, Never null.
 * @throws IllegalStateException if not constructed from a password
 * @throws KrbException
 */
public EncryptionKey[] getKeys(boolean isInitiator) throws KrbException {
    checkState(isInitiator?State.REQ_OK:State.INIT, "Cannot get keys");
    if (password != null) {
        int[] eTypes = EType.getDefaults("default_tkt_enctypes");
        EncryptionKey[] result = new EncryptionKey[eTypes.length];

        /*
         * Returns an array of keys. Before KrbAsReqBuilder, all etypes
         * use the same salt which is either the default one or a new salt
         * coming from PA-DATA. After KrbAsReqBuilder, each etype uses its
         * own new salt from PA-DATA. For an etype with no PA-DATA new salt
         * at all, what salt should it use?
         *
         * Commonly, the stored keys are only to be used by an acceptor to
         * decrypt service ticket in AP-REQ. Most impls only allow keys
         * from a keytab on acceptor, but unfortunately (?) Java supports
         * acceptor using password. In this case, if the service ticket is
         * encrypted using an etype which we don't have PA-DATA new salt,
         * using the default salt might be wrong (say, case-insensitive
         * user name). Instead, we would use the new salt of another etype.
         */

        String salt = null;     // the saved new salt
        try {
            for (int i=0; i<eTypes.length; i++) {
                // First round, only calculate those have a PA entry
                PAData.SaltAndParams snp =
                        PAData.getSaltAndParams(eTypes[i], paList);
                if (snp != null) {
                    // Never uses a salt for rc4-hmac, it does not use
                    // a salt at all
                    if (eTypes[i] != EncryptedData.ETYPE_ARCFOUR_HMAC &&
                            snp.salt != null) {
                        salt = snp.salt;
                    }
                    result[i] = EncryptionKey.acquireSecretKey(cname,
                            password,
                            eTypes[i],
                            snp);
                }
            }
            // No new salt from PA, maybe empty, maybe only rc4-hmac
            if (salt == null) salt = cname.getSalt();
            for (int i=0; i<eTypes.length; i++) {
                // Second round, calculate those with no PA entry
                if (result[i] == null) {
                    result[i] = EncryptionKey.acquireSecretKey(password,
                            salt,
                            eTypes[i],
                            null);
                }
            }
        } catch (IOException ioe) {
            KrbException ke = new KrbException(Krb5.ASN1_PARSE_ERROR);
            ke.initCause(ioe);
            throw ke;
        }
        return result;
    } else {
        throw new IllegalStateException("Required password not provided");
    }
}
 
Example 9
Source File: KrbAsReqBuilder.java    From openjdk-8-source with GNU General Public License v2.0 4 votes vote down vote up
/**
 * Retrieves an array of secret keys for the client. This is used when
 * the client supplies password but need keys to act as an acceptor. For
 * an initiator, it must be called after AS-REQ is performed (state is OK).
 * For an acceptor, it can be called when this KrbAsReqBuilder object is
 * constructed (state is INIT).
 * @param isInitiator if the caller is an initiator
 * @return generated keys from password. PA-DATA from server might be used.
 * All "default_tkt_enctypes" keys will be generated, Never null.
 * @throws IllegalStateException if not constructed from a password
 * @throws KrbException
 */
public EncryptionKey[] getKeys(boolean isInitiator) throws KrbException {
    checkState(isInitiator?State.REQ_OK:State.INIT, "Cannot get keys");
    if (password != null) {
        int[] eTypes = EType.getDefaults("default_tkt_enctypes");
        EncryptionKey[] result = new EncryptionKey[eTypes.length];

        /*
         * Returns an array of keys. Before KrbAsReqBuilder, all etypes
         * use the same salt which is either the default one or a new salt
         * coming from PA-DATA. After KrbAsReqBuilder, each etype uses its
         * own new salt from PA-DATA. For an etype with no PA-DATA new salt
         * at all, what salt should it use?
         *
         * Commonly, the stored keys are only to be used by an acceptor to
         * decrypt service ticket in AP-REQ. Most impls only allow keys
         * from a keytab on acceptor, but unfortunately (?) Java supports
         * acceptor using password. In this case, if the service ticket is
         * encrypted using an etype which we don't have PA-DATA new salt,
         * using the default salt might be wrong (say, case-insensitive
         * user name). Instead, we would use the new salt of another etype.
         */

        String salt = null;     // the saved new salt
        try {
            for (int i=0; i<eTypes.length; i++) {
                // First round, only calculate those have a PA entry
                PAData.SaltAndParams snp =
                        PAData.getSaltAndParams(eTypes[i], paList);
                if (snp != null) {
                    // Never uses a salt for rc4-hmac, it does not use
                    // a salt at all
                    if (eTypes[i] != EncryptedData.ETYPE_ARCFOUR_HMAC &&
                            snp.salt != null) {
                        salt = snp.salt;
                    }
                    result[i] = EncryptionKey.acquireSecretKey(cname,
                            password,
                            eTypes[i],
                            snp);
                }
            }
            // No new salt from PA, maybe empty, maybe only rc4-hmac
            if (salt == null) salt = cname.getSalt();
            for (int i=0; i<eTypes.length; i++) {
                // Second round, calculate those with no PA entry
                if (result[i] == null) {
                    result[i] = EncryptionKey.acquireSecretKey(password,
                            salt,
                            eTypes[i],
                            null);
                }
            }
        } catch (IOException ioe) {
            KrbException ke = new KrbException(Krb5.ASN1_PARSE_ERROR);
            ke.initCause(ioe);
            throw ke;
        }
        return result;
    } else {
        throw new IllegalStateException("Required password not provided");
    }
}
 
Example 10
Source File: KrbAsReqBuilder.java    From openjdk-8 with GNU General Public License v2.0 4 votes vote down vote up
/**
 * Retrieves an array of secret keys for the client. This is used when
 * the client supplies password but need keys to act as an acceptor. For
 * an initiator, it must be called after AS-REQ is performed (state is OK).
 * For an acceptor, it can be called when this KrbAsReqBuilder object is
 * constructed (state is INIT).
 * @param isInitiator if the caller is an initiator
 * @return generated keys from password. PA-DATA from server might be used.
 * All "default_tkt_enctypes" keys will be generated, Never null.
 * @throws IllegalStateException if not constructed from a password
 * @throws KrbException
 */
public EncryptionKey[] getKeys(boolean isInitiator) throws KrbException {
    checkState(isInitiator?State.REQ_OK:State.INIT, "Cannot get keys");
    if (password != null) {
        int[] eTypes = EType.getDefaults("default_tkt_enctypes");
        EncryptionKey[] result = new EncryptionKey[eTypes.length];

        /*
         * Returns an array of keys. Before KrbAsReqBuilder, all etypes
         * use the same salt which is either the default one or a new salt
         * coming from PA-DATA. After KrbAsReqBuilder, each etype uses its
         * own new salt from PA-DATA. For an etype with no PA-DATA new salt
         * at all, what salt should it use?
         *
         * Commonly, the stored keys are only to be used by an acceptor to
         * decrypt service ticket in AP-REQ. Most impls only allow keys
         * from a keytab on acceptor, but unfortunately (?) Java supports
         * acceptor using password. In this case, if the service ticket is
         * encrypted using an etype which we don't have PA-DATA new salt,
         * using the default salt might be wrong (say, case-insensitive
         * user name). Instead, we would use the new salt of another etype.
         */

        String salt = null;     // the saved new salt
        try {
            for (int i=0; i<eTypes.length; i++) {
                // First round, only calculate those have a PA entry
                PAData.SaltAndParams snp =
                        PAData.getSaltAndParams(eTypes[i], paList);
                if (snp != null) {
                    // Never uses a salt for rc4-hmac, it does not use
                    // a salt at all
                    if (eTypes[i] != EncryptedData.ETYPE_ARCFOUR_HMAC &&
                            snp.salt != null) {
                        salt = snp.salt;
                    }
                    result[i] = EncryptionKey.acquireSecretKey(cname,
                            password,
                            eTypes[i],
                            snp);
                }
            }
            // No new salt from PA, maybe empty, maybe only rc4-hmac
            if (salt == null) salt = cname.getSalt();
            for (int i=0; i<eTypes.length; i++) {
                // Second round, calculate those with no PA entry
                if (result[i] == null) {
                    result[i] = EncryptionKey.acquireSecretKey(password,
                            salt,
                            eTypes[i],
                            null);
                }
            }
        } catch (IOException ioe) {
            KrbException ke = new KrbException(Krb5.ASN1_PARSE_ERROR);
            ke.initCause(ioe);
            throw ke;
        }
        return result;
    } else {
        throw new IllegalStateException("Required password not provided");
    }
}
 
Example 11
Source File: KrbAsReqBuilder.java    From jdk8u_jdk with GNU General Public License v2.0 4 votes vote down vote up
/**
 * Retrieves an array of secret keys for the client. This is used when
 * the client supplies password but need keys to act as an acceptor. For
 * an initiator, it must be called after AS-REQ is performed (state is OK).
 * For an acceptor, it can be called when this KrbAsReqBuilder object is
 * constructed (state is INIT).
 * @param isInitiator if the caller is an initiator
 * @return generated keys from password. PA-DATA from server might be used.
 * All "default_tkt_enctypes" keys will be generated, Never null.
 * @throws IllegalStateException if not constructed from a password
 * @throws KrbException
 */
public EncryptionKey[] getKeys(boolean isInitiator) throws KrbException {
    checkState(isInitiator?State.REQ_OK:State.INIT, "Cannot get keys");
    if (password != null) {
        int[] eTypes = EType.getDefaults("default_tkt_enctypes");
        EncryptionKey[] result = new EncryptionKey[eTypes.length];

        /*
         * Returns an array of keys. Before KrbAsReqBuilder, all etypes
         * use the same salt which is either the default one or a new salt
         * coming from PA-DATA. After KrbAsReqBuilder, each etype uses its
         * own new salt from PA-DATA. For an etype with no PA-DATA new salt
         * at all, what salt should it use?
         *
         * Commonly, the stored keys are only to be used by an acceptor to
         * decrypt service ticket in AP-REQ. Most impls only allow keys
         * from a keytab on acceptor, but unfortunately (?) Java supports
         * acceptor using password. In this case, if the service ticket is
         * encrypted using an etype which we don't have PA-DATA new salt,
         * using the default salt might be wrong (say, case-insensitive
         * user name). Instead, we would use the new salt of another etype.
         */

        String salt = null;     // the saved new salt
        try {
            for (int i=0; i<eTypes.length; i++) {
                // First round, only calculate those have a PA entry
                PAData.SaltAndParams snp =
                        PAData.getSaltAndParams(eTypes[i], paList);
                if (snp != null) {
                    // Never uses a salt for rc4-hmac, it does not use
                    // a salt at all
                    if (eTypes[i] != EncryptedData.ETYPE_ARCFOUR_HMAC &&
                            snp.salt != null) {
                        salt = snp.salt;
                    }
                    result[i] = EncryptionKey.acquireSecretKey(cname,
                            password,
                            eTypes[i],
                            snp);
                }
            }
            // No new salt from PA, maybe empty, maybe only rc4-hmac
            if (salt == null) salt = cname.getSalt();
            for (int i=0; i<eTypes.length; i++) {
                // Second round, calculate those with no PA entry
                if (result[i] == null) {
                    result[i] = EncryptionKey.acquireSecretKey(password,
                            salt,
                            eTypes[i],
                            null);
                }
            }
        } catch (IOException ioe) {
            KrbException ke = new KrbException(Krb5.ASN1_PARSE_ERROR);
            ke.initCause(ioe);
            throw ke;
        }
        return result;
    } else {
        throw new IllegalStateException("Required password not provided");
    }
}
 
Example 12
Source File: KrbAsReqBuilder.java    From jdk8u-jdk with GNU General Public License v2.0 4 votes vote down vote up
/**
 * Retrieves an array of secret keys for the client. This is used when
 * the client supplies password but need keys to act as an acceptor. For
 * an initiator, it must be called after AS-REQ is performed (state is OK).
 * For an acceptor, it can be called when this KrbAsReqBuilder object is
 * constructed (state is INIT).
 * @param isInitiator if the caller is an initiator
 * @return generated keys from password. PA-DATA from server might be used.
 * All "default_tkt_enctypes" keys will be generated, Never null.
 * @throws IllegalStateException if not constructed from a password
 * @throws KrbException
 */
public EncryptionKey[] getKeys(boolean isInitiator) throws KrbException {
    checkState(isInitiator?State.REQ_OK:State.INIT, "Cannot get keys");
    if (password != null) {
        int[] eTypes = EType.getDefaults("default_tkt_enctypes");
        EncryptionKey[] result = new EncryptionKey[eTypes.length];

        /*
         * Returns an array of keys. Before KrbAsReqBuilder, all etypes
         * use the same salt which is either the default one or a new salt
         * coming from PA-DATA. After KrbAsReqBuilder, each etype uses its
         * own new salt from PA-DATA. For an etype with no PA-DATA new salt
         * at all, what salt should it use?
         *
         * Commonly, the stored keys are only to be used by an acceptor to
         * decrypt service ticket in AP-REQ. Most impls only allow keys
         * from a keytab on acceptor, but unfortunately (?) Java supports
         * acceptor using password. In this case, if the service ticket is
         * encrypted using an etype which we don't have PA-DATA new salt,
         * using the default salt might be wrong (say, case-insensitive
         * user name). Instead, we would use the new salt of another etype.
         */

        String salt = null;     // the saved new salt
        try {
            for (int i=0; i<eTypes.length; i++) {
                // First round, only calculate those have a PA entry
                PAData.SaltAndParams snp =
                        PAData.getSaltAndParams(eTypes[i], paList);
                if (snp != null) {
                    // Never uses a salt for rc4-hmac, it does not use
                    // a salt at all
                    if (eTypes[i] != EncryptedData.ETYPE_ARCFOUR_HMAC &&
                            snp.salt != null) {
                        salt = snp.salt;
                    }
                    result[i] = EncryptionKey.acquireSecretKey(cname,
                            password,
                            eTypes[i],
                            snp);
                }
            }
            // No new salt from PA, maybe empty, maybe only rc4-hmac
            if (salt == null) salt = cname.getSalt();
            for (int i=0; i<eTypes.length; i++) {
                // Second round, calculate those with no PA entry
                if (result[i] == null) {
                    result[i] = EncryptionKey.acquireSecretKey(password,
                            salt,
                            eTypes[i],
                            null);
                }
            }
        } catch (IOException ioe) {
            KrbException ke = new KrbException(Krb5.ASN1_PARSE_ERROR);
            ke.initCause(ioe);
            throw ke;
        }
        return result;
    } else {
        throw new IllegalStateException("Required password not provided");
    }
}
 
Example 13
Source File: KrbAsReqBuilder.java    From jdk8u-dev-jdk with GNU General Public License v2.0 4 votes vote down vote up
/**
 * Retrieves an array of secret keys for the client. This is used when
 * the client supplies password but need keys to act as an acceptor. For
 * an initiator, it must be called after AS-REQ is performed (state is OK).
 * For an acceptor, it can be called when this KrbAsReqBuilder object is
 * constructed (state is INIT).
 * @param isInitiator if the caller is an initiator
 * @return generated keys from password. PA-DATA from server might be used.
 * All "default_tkt_enctypes" keys will be generated, Never null.
 * @throws IllegalStateException if not constructed from a password
 * @throws KrbException
 */
public EncryptionKey[] getKeys(boolean isInitiator) throws KrbException {
    checkState(isInitiator?State.REQ_OK:State.INIT, "Cannot get keys");
    if (password != null) {
        int[] eTypes = EType.getDefaults("default_tkt_enctypes");
        EncryptionKey[] result = new EncryptionKey[eTypes.length];

        /*
         * Returns an array of keys. Before KrbAsReqBuilder, all etypes
         * use the same salt which is either the default one or a new salt
         * coming from PA-DATA. After KrbAsReqBuilder, each etype uses its
         * own new salt from PA-DATA. For an etype with no PA-DATA new salt
         * at all, what salt should it use?
         *
         * Commonly, the stored keys are only to be used by an acceptor to
         * decrypt service ticket in AP-REQ. Most impls only allow keys
         * from a keytab on acceptor, but unfortunately (?) Java supports
         * acceptor using password. In this case, if the service ticket is
         * encrypted using an etype which we don't have PA-DATA new salt,
         * using the default salt might be wrong (say, case-insensitive
         * user name). Instead, we would use the new salt of another etype.
         */

        String salt = null;     // the saved new salt
        try {
            for (int i=0; i<eTypes.length; i++) {
                // First round, only calculate those have a PA entry
                PAData.SaltAndParams snp =
                        PAData.getSaltAndParams(eTypes[i], paList);
                if (snp != null) {
                    // Never uses a salt for rc4-hmac, it does not use
                    // a salt at all
                    if (eTypes[i] != EncryptedData.ETYPE_ARCFOUR_HMAC &&
                            snp.salt != null) {
                        salt = snp.salt;
                    }
                    result[i] = EncryptionKey.acquireSecretKey(cname,
                            password,
                            eTypes[i],
                            snp);
                }
            }
            // No new salt from PA, maybe empty, maybe only rc4-hmac
            if (salt == null) salt = cname.getSalt();
            for (int i=0; i<eTypes.length; i++) {
                // Second round, calculate those with no PA entry
                if (result[i] == null) {
                    result[i] = EncryptionKey.acquireSecretKey(password,
                            salt,
                            eTypes[i],
                            null);
                }
            }
        } catch (IOException ioe) {
            KrbException ke = new KrbException(Krb5.ASN1_PARSE_ERROR);
            ke.initCause(ioe);
            throw ke;
        }
        return result;
    } else {
        throw new IllegalStateException("Required password not provided");
    }
}